HTB banner

HTB: Linux - Reset

Reset chains a password-reset oracle and SQLi-leaked admin hash into an authenticated dashboard, an LFI that is weaponised through Apache log poisoning for RCE as www-data, a misconfigured /etc/hosts.equiv r-services trust that pivots laterally to two separate users, and finally an lxd group membership that mounts the host filesystem for root.

HTB banner

HTB: Linux - Trick

Trick is an Easy Linux machine built around enumeration. A misconfigured DNS zone transfer plus virtual-host fuzzing reveal hidden subdomains, an LFI on one of them leaks an SSH key, and a user in the security group abuses a writable fail2ban action directory to get root once a ban fires.

HTB banner

HTB: Linux - Bashed

Bashed is a fairly easy machine which focuses mainly on fuzzing and locating important files. As basic access to the crontab is restricted

Offsec banner

PG Practice: Linux - Nibbles

Leverage a misconfigured PostgreSQL database server that is listening on all interfaces with default credentials to gain code execution in this lab. Next, exploit misconfigured SUID permissions on the /usr/bin/find binary for privilege escalation. This approach enhances your skills in identifying misconfigurations and escalating privileges effectively.

Offsec banner

PG Practice: Linux - Payday

In this lab, you will exploit a Local File Inclusion (LFI) vulnerability in an outdated version of CS Cart installed on the PayDay lab. This lab enhances your skills in vulnerability detection, exploitation, and system access techniques.

Offsec banner

PG Practice: Linux - LaVita

The lab will leverage enumeration techniques, including web enumeration, to uncover potential vulnerabilities. You will also exploit CVE-2021-3129 and demonstrate how to abuse SUDO permissions for unauthorized access. This lab focuses on understanding and exploiting vulnerabilities to enhance security awareness.

Offsec banner

PG Practice: Windows - Algernon

This lab demonstrates exploiting a remote code execution vulnerability in SmarterMail build 6985 to gain SYSTEM-level access on a Windows server. Learners will identify the application version, leverage an RCE exploit, and use a reverse shell payload to compromise the target. This lab emphasizes web application exploitation and highlights the risks of unpatched software.

Offsec banner

PG Practice: Linux - Exfiltrated

In this lab, we will exploit the target through an authenticated file upload bypass vulnerability in Subrion CMS that leads to remote code execution. We will then exploit a root cron job via a script running exiftool every minute.

Offsec banner

PG Practice: Linux - Twiggy

This lab demonstrates exploiting a pre-auth remote code execution vulnerability in SaltStack Master (CVE-2020-11651). Learners will leverage the SaltStack API to execute arbitrary commands, resulting in a root shell on the target. This lab highlights the risks of unpatched critical vulnerabilities in infrastructure management tools.

HTB banner

HTB: AD — Flight

Flight is a hard Windows machine that starts with a website with two different virtual hosts. One of them is vulnerable to LFI and allows an attacker to retrieve an NTLM hash. Once cracked, the obtained clear text password will be sprayed across a list of valid usernames to discover a password re-use scenario. Once the attacker has SMB access as the user s.moon he is able to write to a share that gets accessed by other users. Certain files can be used to steal the NTLMv2 hash of the users that access the share. Once the second hash is cracked the attacker will be able to write a reverse shell in a share that hosts the web files and gain a shell on the box as low privileged user. Having credentials for the user c.bum, it will be possible to gain a shell as this user, which will allow the attacker to write an aspx web shell on a web site that’s configured to listen only on localhost. Once the attacker has command execution as the Microsoft Virtual Account he is able to run Rubeus to get a ticket for the machine account that can be used to perform a DCSync attack ultimately obtaining the hashes for the Administrator user.